Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
"A quick batch of bug fixes:
1) Fix build with IPV6 disabled, from Eric Dumazet.
2) Several more cases of caching SKB data pointers across calls to
pskb_may_pull(), thus referencing potentially free'd memory. From
Li RongQing.
3) DSA phy code tests operation presence improperly, instead of going:
if (x->ops->foo)
r = x->ops->foo(args);
it was going:
if (x->ops->foo(args))
r = x->ops->foo(args);
Fix from Andew Lunn"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
Net: DSA: Fix checking for get_phy_flags function
ipv6: fix a potential use after free in sit.c
ipv6: fix a potential use after free in ip6_offload.c
ipv4: fix a potential use after free in gre_offload.c
tcp: fix build error if IPv6 is not enabled
diff --git a/include/net/tcp.h b/include/net/tcp.h
index c9766f8..4062b4f 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -730,6 +730,7 @@
#define TCP_SKB_CB(__skb) ((struct tcp_skb_cb *)&((__skb)->cb[0]))
+#if IS_ENABLED(CONFIG_IPV6)
/* This is the variant of inet6_iif() that must be used by TCP,
* as TCP moves IP6CB into a different location in skb->cb[]
*/
@@ -737,6 +738,7 @@
{
return TCP_SKB_CB(skb)->header.h6.iif;
}
+#endif
/* Due to TSO, an SKB can be composed of multiple actual
* packets. To keep these tracked properly, we use this.
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index a851e9f..6d18174 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -599,7 +599,7 @@
netif_carrier_off(slave_dev);
if (p->phy != NULL) {
- if (ds->drv->get_phy_flags(ds, port))
+ if (ds->drv->get_phy_flags)
p->phy->dev_flags |= ds->drv->get_phy_flags(ds, port);
phy_attach(slave_dev, dev_name(&p->phy->dev),
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index a777295..ccda096 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -55,13 +55,13 @@
if (csum)
skb->encap_hdr_csum = 1;
- if (unlikely(!pskb_may_pull(skb, ghl)))
- goto out;
-
/* setup inner skb. */
skb->protocol = greh->protocol;
skb->encapsulation = 0;
+ if (unlikely(!pskb_may_pull(skb, ghl)))
+ goto out;
+
__skb_pull(skb, ghl);
skb_reset_mac_header(skb);
skb_set_network_header(skb, skb_inner_network_offset(skb));
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 9034f76..91014d3 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -46,6 +46,7 @@
if (unlikely(!pskb_may_pull(skb, len)))
break;
+ opth = (void *)skb->data;
proto = opth->nexthdr;
__skb_pull(skb, len);
}
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 6eab37c..58e5b47 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -485,11 +485,11 @@
*/
static int ipip6_err_gen_icmpv6_unreach(struct sk_buff *skb)
{
- const struct iphdr *iph = (const struct iphdr *) skb->data;
+ int ihl = ((const struct iphdr *)skb->data)->ihl*4;
struct rt6_info *rt;
struct sk_buff *skb2;
- if (!pskb_may_pull(skb, iph->ihl * 4 + sizeof(struct ipv6hdr) + 8))
+ if (!pskb_may_pull(skb, ihl + sizeof(struct ipv6hdr) + 8))
return 1;
skb2 = skb_clone(skb, GFP_ATOMIC);
@@ -498,7 +498,7 @@
return 1;
skb_dst_drop(skb2);
- skb_pull(skb2, iph->ihl * 4);
+ skb_pull(skb2, ihl);
skb_reset_network_header(skb2);
rt = rt6_lookup(dev_net(skb->dev), &ipv6_hdr(skb2)->saddr, NULL, 0, 0);